An extensive formal analysis of multi-factor authentication protocols

Jacomme, Charlie; Kremer, Steve

doi:10.29007/xrx7

Cited by 5 publications

(5 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Formal Security Analysis for MFA The literature related to formal analysis of MFA solutions is very recent. Jacomme et al [33] propose a threat model for MFA protocols that combines a classic Dolev-Yao attacker with different attacker levels. The different levels are modeled as read or write access to difference input and/or output interfaces composing the system (e.g., a key logger could be modeled as a malware with read-only access to the USB input interface).…”

Section: Discussionmentioning

confidence: 99%

“…There are some common choices between [33] and our analysis, such as the modeling of an attacker capability as a property of a channel: in [33] by giving read and/or write access to a private channel, in our case with the definition of security properties (see Section 5.3). The main difference is the relation of the security analysis with authenticator factors, while in [33] they assume only the password compromised, in our analysis the instance factors have a central role. As proposed in [6], we have defined a MFA goal based on them.…”

Section: Discussionmentioning

confidence: 99%

“…Since in our analysis we will focus on the authentication property, we assume that the registration and activation phases have been already performed, without any interference of attackers. This is a common practice [33,44] when dealing with authentication protocols consisting of a preliminary phase in which specific values are stored to set the protocol up. Indeed, since a trust relationship between SP app and IdTP is established as a result of the registration phase, it is important that IdTP validates the SP app data; if the activation phase is compromised (e.g., by a phishing app activated in place of the valid one), then no security guarantees can be achieved during the authentication as the attacker is able to generate valid OTPs and use them during the exploitation phase.…”

Section: Activation Phase Of Rm Totp and Rm Crmentioning

confidence: 99%

See 2 more Smart Citations

Formal Analysis of Mobile Multi-Factor Authentication with Single Sign-On Login

Sciarretta¹,

Carbone²,

Ranise³

et al. 2020

ACM Trans. Priv. Secur.

View full text Add to dashboard Cite

Over the last few years, there has been an almost exponential increase in the number of mobile applications that deal with sensitive data, such as applications for e-commerce or health. When dealing with sensitive data, classical authentication solutions based on username-password pairs are not enough, and multi-factor authentication solutions that combine two or more authentication factors of different categories are required instead. Even if several solutions are currently used, their security analyses have been performed informally or semiformally at best, and without a reference model and a precise definition of the multi-factor authentication property. This makes a comparison among the different solutions both complex and potentially misleading. In this article, we first present the design of two reference models for native applications based on the requirements of two real-world use-case scenarios. Common features between them are the use of one-time password approaches and the support of a single sign-on experience. Then, we provide a formal specification of our threat model and the security goals, and discuss the automated security analysis that we performed. Our formal analysis validates the security goals of the two reference models we propose and provides an important building block for the formal analysis of different multi-factor authentication solutions.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Discussionmentioning

confidence: 99%

Section: Activation Phase Of Rm Totp and Rm Crmentioning

confidence: 99%

See 1 more Smart Citation

Formal Analysis of Mobile Multi-Factor Authentication with Single Sign-On Login

Sciarretta¹,

Carbone²,

Ranise³

et al. 2020

ACM Trans. Priv. Secur.

View full text Add to dashboard Cite

show abstract

“…Our proposed key generator passes all the statistical tests and proven to be random. Researchers currently use two main approaches to verify security protocols, namely, provable security and the formal method approaches [45], [46], [47]. PProvable security defines a rigorous framework to describe and prove cryptographic properties from a mathematical point of view.…”

Section: Randomness Evaluationmentioning

confidence: 99%

An Efficient Key Management and Multi-Layered Security Framework for SCADA Systems

Upadhyay

Zaman

Joshi

et al. 2022

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

Supervisory Control and Data Acquisition (SCADA) networks play a vital role in industrial control systems. Industrial organizations perform operations remotely through SCADA systems to accelerate their processes. However, this enhancement in network capabilities comes at the cost of exposing the systems to cyber-attacks. Consequently, effective solutions are required to secure industrial infrastructure as cyber-attacks on SCADA systems can have severe financial and/or safety implications. Moreover, SCADA field devices are equipped with microcontrollers for processing information and have limited computational power and resources. This makes the deployment of sophisticated security features challenging. As a result, effective lightweight cryptography solutions are needed to strengthen the security of industrial plants against cyber threats. In this paper, we have proposed a multi-layered framework by combining both symmetric and asymmetric key cryptographic techniques to ensure high availability, integrity, confidentiality, authentication and scalability. Further, an efficient session key management mechanism is proposed by merging random number generation with a hashed message authentication code. Moreover, for each session, we have introduced three symmetric key cryptography techniques based on the concept of Vernam cipher and a preshared session key, namely, random prime number generator, prime counter, and hash chaining. The proposed scheme satisfies the SCADA requirements of real-time request response mechanism by supporting broadcast, multicast, and point to point communication.

show abstract

“…An attack vector that compromises the FIDO client is theoretically similar to our attack vector, but previous works do not provide details of the attack scenarios. Pereira et al [34] and Jacomme and Kremer [35] modeled the FIDO authentication process and formally analyzed the protocol phase by phase using the ProVerif tool. ey validated security of various threat scenarios that may occur in practical environments.…”

Section: Related Workmentioning

confidence: 99%

Security Analysis and Bypass User Authentication Bound to Device of Windows Hello in the Wild

Kim

Choi

2021

Security and Communication Networks

View full text Add to dashboard Cite

Windows Hello is a Fast IDentity Online- (FIDO-) based new login system for Windows 10, which provides a single sign-on (SSO) service to diverse online applications. Hardware protection is essential for Window Hello’s security. This paper aims to examine the security of Windows Hello on a device where hardware protection is unavailable. We present the first detailed analysis of Windows Hello’s security. The results show that, on a hardware-unsupported device, the authentication data for Windows Hello is not properly protected. We propose a migration attack to compromise Windows Hello’s security. In the proposed attack, an attacker extracts authentication data from a device to impersonate a victim in his or her Microsoft online account. We consider the possibility of such an attack to be serious and harmful to our society and demand immediate attention for remediation.

show abstract

An extensive formal analysis of multi-factor authentication protocols

Cited by 5 publications

References 10 publications

Formal Analysis of Mobile Multi-Factor Authentication with Single Sign-On Login

Formal Analysis of Mobile Multi-Factor Authentication with Single Sign-On Login

An Efficient Key Management and Multi-Layered Security Framework for SCADA Systems

Security Analysis and Bypass User Authentication Bound to Device of Windows Hello in the Wild

Contact Info

Product

Resources

About